Analysis
- max time kernel: 151s
- max time network: 117s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 26-07-2021 12:39

Static task: static1

Behavioral task: behavioral1
  Sample: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
  Resource: win10v20210410
General
- Target: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
- Size: 674KB
- MD5: 1c0fbff0f6a18ce6d05e0026b7423b64
- SHA1: f422c94cc824c175802df15408114b6284918e17
- SHA256: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
- SHA512: 40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
Malware Config
- Extracted from C:\Users\Admin\Documents\!Decrypt-All-Files-gifixtg.txt:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion/
- Extracted from C:\ProgramData\kwivvrl.html:
  http://jssestaew3e7ao3q.onion.cab
  http://jssestaew3e7ao3q.tor2web.org
  http://jssestaew3e7ao3q.onion
Signatures
- CTB-Locker
  Ransomware family which uses Tor to hide its C2 communications.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1912 | pwqidta.exe
    2496 | pwqidta.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CompareMerge.RAW.gifixtg | svchost.exe
    File renamed | C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\HideResize.RAW.gifixtg | svchost.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | pwqidta.exe
- Drops desktop.ini file(s) (1 IoC)
  Processes:
    description | ioc | process
    File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | svchost.exe
- Drops file in System32 directory (6 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | pwqidta.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | pwqidta.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | pwqidta.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | pwqidta.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | pwqidta.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini | pwqidta.exe
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-gifixtg.bmp" | Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    3860 | vssadmin.exe
- Modifies Internet Explorer settings (4 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU | pwqidta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | pwqidta.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | pwqidta.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | pwqidta.exe
- Modifies data under HKEY_USERS (21 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E} | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54" | svchost.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000} | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\MaxCapacity = "15150" | svchost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon | svchost.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" | svchost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | svchost.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320036003600640031006300610034002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes:
    pid | process
    3148 | 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
    3148 | 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
    1912 | pwqidta.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    2984 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1912 | pwqidta.exe
    Token: SeDebugPrivilege | 1912 | pwqidta.exe
    Token: SeShutdownPrivilege | 2984 | Explorer.EXE
    Token: SeCreatePagefilePrivilege | 2984 | Explorer.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid | process
    2496 | pwqidta.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
    pid | process
    2496 | pwqidta.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    2496 | pwqidta.exe
    2496 | pwqidta.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | process | target process
    PID 1912 wrote to memory of 736 | 1912 | pwqidta.exe | svchost.exe
    PID 1912 wrote to memory of 2984 | 1912 | pwqidta.exe | Explorer.EXE
    PID 1912 wrote to memory of 3860 | 1912 | pwqidta.exe | vssadmin.exe
    PID 1912 wrote to memory of 3860 | 1912 | pwqidta.exe | vssadmin.exe
    PID 1912 wrote to memory of 3860 | 1912 | pwqidta.exe | vssadmin.exe
    PID 1912 wrote to memory of 2496 | 1912 | pwqidta.exe | pwqidta.exe
    PID 1912 wrote to memory of 2496 | 1912 | pwqidta.exe | pwqidta.exe
    PID 1912 wrote to memory of 2496 | 1912 | pwqidta.exe | pwqidta.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  Child process: C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe"
    - Suspicious behavior: EnumeratesProcesses
- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
  - Modifies extensions of user files
  - Drops desktop.ini file(s)
  - Modifies data under HKEY_USERS
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin delete shadows all
    - Interacts with shadow copies
  Child process: C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft OneDrive\hmvkwmb
  MD5: 45ebd9f4549b39a53e154e3e3623dd31
  SHA1: 8c54554d4426d8c7e38937e739e652cddae0eaa4
  SHA256: 81123ec2785f5854f168d86c98350198ab63b39fc7b47f6fbbf7ca255dd4c88b
  SHA512: 7db324139e3b486304b30added569e41ce74cb0928010f4afa019b71d3a8b64f7861ccc87ef7be13d4e8e4c308fca98bb0bbf69a85d5e90e33c5a7d204ed6aa9
- C:\ProgramData\Microsoft OneDrive\hmvkwmb
  MD5: 92c14d4b61232dd56bcc3e1ee03d9388
  SHA1: f34f9a88155642f94a8de37a497703ab72014a22
  SHA256: 3994e4eacfa487acb8fe307ec95d2048c0b7adb94dab796beb9a3dfae00386aa
  SHA512: e3ad581248cb7f154eb9db288c28188735ffb2d926c741e3e247e43cfaf5d24549b03636af73802ad79a746e946c25d2a63c30bf4280c6afeeef07eaea7d7eff
- C:\ProgramData\Microsoft OneDrive\hmvkwmb
  MD5: a983755b4701cfcc2be111cdee9e7d2d
  SHA1: 0aa3d3d23f3eaa3cb085e6d06c890ec2b3dea76e
  SHA256: e83c1c3939d51f792fa9431238588490fcbfbe434b9b25898cbd71ba532c9d91
  SHA512: 54036717dd6153b0a9f257f0199e662435a29ff0f0fb9a6df5ca66d5e70ba027b209d85c1443a289de343e76795b897236c7fee345b3851a5dc5dfe660d3c8b2
- C:\ProgramData\Microsoft OneDrive\hmvkwmb
  MD5: 355140c80b6de146f44c40b27df8c311
  SHA1: 5c76a1b2cc6618f7e14b0d757996458b0c5fa445
  SHA256: af9b5a44e60bf47e914ef8d85296191b9462e65bfbc3902afb95f519dcc457b5
  SHA512: 471c18e34cc639896610881d55505c3c97be18e5ed8713258b1c506dc08954c8242a4544cd1cf94993491dd76150d82b7ac3accf8c19f539a142a1cf51fb95e9
- C:\ProgramData\kwivvrl.html
  MD5: fa1222720800c2b28e18f55864bac742
  SHA1: d957d7223d1a4180b00ec3dc4e801260c58b7879
  SHA256: 7ee4dedf8b9ec63fc6323134d9cbe336b7c4c7a7cd641577e8c4181817aa372f
  SHA512: 73ae648fa63774a0755cfe30417e0e6a7ed769c3956406871a92bb6633ee69be00b39672b5ad655accead9158c571878228430f78e6c173366b0e7d78aa34825
- C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
  MD5: 1c0fbff0f6a18ce6d05e0026b7423b64
  SHA1: f422c94cc824c175802df15408114b6284918e17
  SHA256: 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
  SHA512: 40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41
- memory/736-120-0x000000002D070000-0x000000002D0E7000-memory.dmp (Filesize: 476KB)
- memory/1912-119-0x0000000001760000-0x00000000019AB000-memory.dmp (Filesize: 2.3MB)
- memory/2496-128-0x0000000000000000-mapping.dmp
- memory/2496-131-0x00000000004B0000-0x00000000006FB000-memory.dmp (Filesize: 2.3MB)
- memory/3148-114-0x0000000000DB0000-0x0000000000FCA000-memory.dmp (Filesize: 2.1MB)
- memory/3148-115-0x0000000000FD0000-0x000000000121B000-memory.dmp (Filesize: 2.3MB)
- memory/3860-127-0x0000000000000000-mapping.dmp